The GDPR and Your School - Hoarding and Generating Data

Under the GDPR’s data protection principles, your school will no longer be able to keep personal data for longer than it is needed.

The GDPR will raise the profile of data protection and the rights of data subjects, including their right to a copy of all the data you hold on them – known as a subject access request or SAR.

Over 20% of schools we surveyed say they have had a subject access request and this is likely to rise under GDPR.

Basically, the more data you hold – no matter how old it is, the more difficult it is for you to comply with the GDPR and the bigger headache subject access requests will be.

Now is the time to review how and what data you store as well as if your school is guilty of generating more data through, for example, poor email management.

Hoarding data Think about what your school does with old data files, are they under the stage, in a confidential cupboard or in rows of filing cabinets? And what happens to old software and system back-ups? If the personal data is no longer needed – and unlikely to be needed, it should be securely destroyed.

Companies such as Shred-it offer on-demand shredding and hard drive destruction services and will come to your school and destroy and remove the data there and then.

Generating even more data I recently spoke to a school that realised, following a subject access request, that it held 15,000 emails on one child. In a five-year school career, it is difficult to imagine how this many emails could be generated about one pupil but poor email management may well be the culprit. Here are two important tips to reducing the data you generate and hoard through email.

Use CC sparingly It is easy to get into the habit of CCing people in, especially through pre-set staff lists, but it should only be used if the other people really need to see the email. Otherwise, you are generating more and more data with each email you send.

Delete emails Never deleting emails is another way of hoarding data. Ask your IT department if they can automate this, train staff to only store the emails they need and add reminders to staff calendars to delete unnecessary emails at the end of each term. Getting staff into this habit will dramatically reduce the number you keep and the amount of personal data your school holds.